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Abstract Of EP1 11 1495 

The BIOS device (108) or some other secure 
store of a portable computer (PC 100) or other 
valuable device stores a password-based 
security program (302), an encrypted password 
(306), and an encryption key (304). When the PC 
is booted, the security program executes first and 
prompts the user for a password, encrypts it with 
the stored key, and compares it with the stored 
password. If the passwords do not match, boot is 
aborted and the PC is disabled. Only if the 
passwords do match is boot continued and use of 
the PC enabled. If this security measure is 
advertised, theft of the PC is deterred because of 
the difficulty of accessing or bypassing the 
password and the security program in the BIOS 
device. The encrypted password is also 
registered with a remote trusted certificate 
authority (TCA 1 50) or is stored on a local 
extemal storage device (250). To establish or 
change the password, a communication 
connection is established from the PC to the TCA 
or storage device. If a password already exists in 
the PC, it is compared against the password 
stored by the TCA or the storage device. If they 
match, or if a password does not yet exist, the 
user is prompted for a new password, which is 
then encrypted and stored in both the BIOS 
device and the TCA or storage device. The 
password is also available for retrieval from the 
TCA or storage device in case the user forgets it. 
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(57) The BIOS device (108) or some other secure 
store of a portable computer (PC 1 00) or other valuable 
device stores a password-based security program 
(302), an encrypted password (306), and an encryption 
l^ey (304). When the PC is booted, the security program 
executes first and prompts the user for a password, en- 
crypts it with the stored key, and compares it with the 
stored password. If the passwords do not match, boot 
is aborted and the PC Is disabled. Only if the passwords 
do match is boot continued and use of the PC enabled. 
If this security measure is advertised, theft of the PC is 
deterred because of the difficulty of accessing or by- 
passing the password and the security program in the 



BIOS device. The encrypted password is also registered 
with a remote trusted certificate authority (TCA 150) or 
is stored on a local external storage device (250). To 
establish or change the password, a communication 
connection is established from the PC to the TCA or 
storage device, if a password already exists in the PC, 
It is compared against the password stored by the TCA 
or the storage device. If they match, or if a password 
does not yet exist, the user is prompted for a new pass- 
word, which is then encrypted and stored in both the BI- 
OS device and the TCA or storage device. The pass- 
word is also available for retrieval from the TCA or stor- 
age device in case the user forgets it. 
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Description 

Technicai Field 

[0001] This invention relates generally to security 
mechanisms for thwarting theft or unauthorized access 
of devices, and particularly to password mechanisms. 

Baclcqround of the Invention 

[0002] Electronic devices of all sorts are targets for 
thieves because of their typically-high value-to-size ra- 
tio. Portable computing devices, such as notebook com- 
puters, are particularly vulnerable to theft because they 
are so small, valuable, and portable. Conventional se- 
curity measures are based on physical restraints that 
use anchoring devices and locked enclosures. But 
these limit portability and convenience of use. If the de- 
vices could be made useless to anyone but the owner, 
and advertised as such, they would lose their value to, 
and hence not be as much of a target for, thieves. This 
implies the use of some sort of a password system that 
cannot be defeated easily. But conventional password 
mechanisms are Inadequate. 
[0003] Software-based password systems are used 
in portable computers today to restrict access, but they 
can be defeated either by reinstalling the operating sys- 
tem software or, in some cases, by even simpler actions, 
such as exploiting loopholes In the operating systems 
that supportthem (e.g. the "Safe Mode" In Windows 95). 
Nevertheless, providing a password on power-up of a 
computer is the simplest way to validate a user. Hard- 
ware-based security systems (e.g. those available on 
some car radios) support password control, but if the 
password Is lost, only major hardware surgery allows 
the device to be activated again. Providing a cost and 
effort barrier to defeating the password system is essen- 
tial, but it should be easier to deal with lost passwords 
and allow validation of the device by some authority. 
Public Encrypted Signatures are used to authenticate 
received infomiation as having been legitimately provid- 
ed by a user. Coding and encrypting of the password by 
using an assigned public key can serve as a means of 
ensuring that one is dealing with a unique registered de- 
vice. Trusted Certification Authorities exist to provide 
registered digital signatures and to maintain user regis- 
tration information. They can be used to register signa- 
tures for coding messages. But none of these existing 
capabilities alone provides an adequate security mech- 
anism for portable devices. 

Summary of the Invention 

[0004] The Inventors have recognized that there are 
several requirements for a security system for portable 
devices: 

• The security system should add Irttle or no cost to 
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the device either In parts or in manufacture, and it 
should not cause any additional expense to the dis- 
tribution system. 

• The cost, in effort or money, to defeat the security 
5 system should approach or exceed the value of the 

device. 

• Access to the device should be individualized to the 
owner, yet allow ownership to be transferred without 
great difficulty. 

10 • The security system should use existing hardware, 
software, and security technologies and preferably 
be suitable for installation on existing computers. 

• Any individualized infonnatlon used in the security 
system should be able to be archived by some au- 

'5 thority that could intervene If legitimate access to 
the device needed to be reestablished. 

• The security system should be attractive enough to 
become a standard and thus become supported 
economically by both device vendors and third par- 

20 ties. 

[0005] Accordingly, this invention Is directed to solv- 
ing the problems and disadvantages and meeting the 
requirements of the art. Generally according to the in- 
vention, a device security apparatus comprises the fol- 
lowing items. Storage in the device for storing a pass- 
word. The storage must be secure, In that it prevents a 
user of the device from accessing (i.e., extracting and/ 
or changing) the stored password while use of the de- 
vice Is disabled. One example of such storage Is the BI- 
OS device which stores the BIOS program of a personal 
computer. Another Item is a connector for connecting 
the device to an external entity such as a local memory 
device or a remote trusted authority. Examples of such 
connectors include an Input and output port and a net- 
work communications port of a personal computer. An- 
other item is a lock in the device that is cooperative with 
the storage and disables use of the device unless a 
password is given to the lock which corresponds to the 
stored password. The lock may illustratively be imple- 
mented as a program that also resides in secure mem- 
ory, e.g., in the BIOS device, along with the password. 
Another item is an an^angement that cooperates with the 
storage, the connector, and the lock, and responds to 
the use of the device having been enabled and the con- 
nection having been made to the extemal entity by en- 
abling the stored password to be changed if the stored 
password corresponds to a password stored by the con- 
nected external entity, and by effecting storage of the 
changed password by the extemal entity. This arrange- 
ment may also illustratively be implemented as a pro- 
gram, but it need not be stored in secure storage. 
[0006] The invention may be implemented to satisfy 
some or all of the requirements set out in the Back- 
ground section: 

1 . It adds no cost in parts to the device, with the 
possible exception of a guaranteed communication 
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capability. (But most inteliigent devices such as 
computers already have a modem). It does add one 
step in manufacturing: that of selecting the insecure 
start-up mode, to install other software. 

2. Defeating this security system would require that 5 
the device be opened and the secure storage (e.g., 
computer BIOS memory) be physically disconnect- 
ed and re-written. This Is not a simple or a cheap 
task. 

3. Not only is the device ownership Individualized, io 
but also it can be transferred or changed in asecure 
manner. 

4. No new technology is required. In fact, it might 
be possible to add this capability to some existing 
intelligent devices, such as computers. 

5. A trusted authority Is used to manage and control 
security and provides a valued service. Alternatives 
to the trusted authority can use a local plug-in de- 
vice like a PC card to act in place of the trusted au- 
thority and provide a more local version of the sys- so 
tern. 

6. Because the invention can be implemented to 
satisfy all of the above-mentioned requirements, it 
may be attractive as a standard and/or a widely-de- 
ployed commercial capability. 

[0007] These and other features and advantages of 
the present invention will become more apparent from 
the following description of an Illustrative embodiment 
of the Invention considered together with the drawing. 

Brief Description of the Drawing 

[0008] 

FIG. 1 1s a block diagram of a computer network that 
includes a first illustrative embodiment of the inven- 
tion; 

FIG. 2 is a block diagram of a computer that in- 
cludes a second Illustrative embodiment of the in- 
vention; 

FIG. 3 is a block diagram of contents of a BIOS de- 
vice of portable computers of FIGS. 1 and 2; 
FIGS. 4-6 are a functional flow diagram of opera- 
tions of a security program of the portable comput- 
ers of FIGS. 1 and 2; and 
FIG. 5 additionally includes a functional flow dia- 
gram of operations of a trusted certificate authority 
of the computer network of FIG. 1 . 

Detailed Description 

[0009] FIG. 1 shows a portable computer (PC) 100 
that includes a central processing unit (CPU) 102, a 
read-only memory (ROM) 1 04, a random access mem- 
ory (RAM) 106, a bask: input and output operating sys- 
tem (BIOS) device 108, and a disk memory 112, ail in- 
terconnected by a memory bus 114. PC 100 further in- 



cludes an input and output (I/O) Interface 116 that com- 
prises a data network interface 120 and/or a modem 
1 22, connected to CPU 1 02 by an i/O bus 1 1 8. An alter- 
native embodiment of PC 100 where I/O interface 116 
comprises an t/0 port 220 is shown in FIG. 2. As de- 
scribed so far, PC 100 Is conventional. PC 1 00 may be 
any device that has a storage element like BIOS device 
108: one whose contents cannot be easily accessed 
(extracted or changed) or bypassed by a user of the de- 
vice while operation of the device is disabled, and whose 
operability hinges on those contents. 
[001 0] BIOS device 1 08 comprises non-volatile, "per- 
manent", memory, one whose contents are preserved 
even when power is absent. Unlike ROM 1 04, however, 
it is electrically alterable and programmable under con- 
trol of special software, In orderto update BIOS over the 
life of PC 100. Storage devices of this type are known 
as programmable read-only memory (PROM), electri- 
cally-erasable PROM (EEPROM), or flash memory. 
When PC 100 Is booted, e.g., powered up, CPU 102 
begins to execute instructions out of ROM 1 04. These 
instructions cause CPU 1 02 to transfer the contents (the 
BIOS program) of BIOS device 108 into RAM 106 and 
to execute those contents out of RAM 106. Execution of 
the BIOS program boots PC 100. PC 100 cannot be 
booted without the BIOS program. And if PC 1 00 cannot 
be booted, the BIOS program cannot be updated or al- 
tered. So, if contents of BIOS device 118 get "corrupt- 
ed", either BIOS device 118 must be replaced, or PC 
100 must be returned to the manufacturer who can 
physically bypass the normal electrical connections to 
BIOS device 1 1 8 and reprogram It. This Is also conven- 
tional. 

[0011] The contents of BIOS device 1 08 are shown in 
FIG. 3. According to the invention, BIOS device 108 Im- 
plements a security mechanism for theft deterrence. In 
addition to containing the conventional BIOS program 
300, device 108 also contains a security program 302 
including encryption key 304 and password 306 entries. 
Security program 302 Is appended to the beginning of 
BIOS program 300 so that at boot time It Is loaded Into 
RAM 1 04 either prior to or along with BIOS program 300 
and is executed prior to completion of the execution of 
BIOS program 300. 

[001 2] The basic concept of the security mechanism 
Is to have a unique password 306 stored In BIOS device 
108 and require that password 306 be entered and 
matched from the keyboard or other I/O device at the 
very beginning of each boot (e.g., power-on) cycle to 
allow the boot cycle and subsequent PC 100 operation 
to continue. A mismatch of password 306 is a functional 
equivalent of a "corrupf BIOS program 300. Conse- 
quently, PC 100 is of no use to anyone who does not 
have password 306. And overriding of the security 
mechanism is very difficult. It requires either that BIOS 
device 108 be replaced with a new one, or that PC 100 
be returned to the manufacturer who can physically by- 
pass the normal electrical connections to BIOS devrce 
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108 and reprogram it. This makes PC 100 economically 
not worth stealing, and hence deters theft. 
[0013] On the one hand, the security mechanism 
must be robust enough to make Its breach or override 
too difficult to be worthwhile. On the other hand, the se- 
curity mechanism has to be flexible enough to allow use 
of the machine to be restored If the password is forgotten 
and to allow security to be restored if the password Is 
compromised or the machine changes hands legiti- 
mately. For this purpose, the concept of the trusted cer- 
tification authority (TCA) 160 is Introduced (see FIG. 1). 
[0014] TCA 150 is a repository of passwords and a 
servk:e for passwords maintenance. It may be provided, 
for example, as a sen/lce to customers by the manufac- 
turer or vendor of PCs 1 00, or as a subscription for-fee 
service by a third party. As shown in FIG. 1 , a TCA 1 50 
comprises an I/O interface 152 to a communications 
network 130 (e.g., a data network or a telephone net- 
work) that allows TCA 150 to communicate with PCs 
100, a computer 154 that executes TCA service pro- 
grams, and a depository 1 56 (e.g., a database) for stor- 
ing passwords and related information. 
[0015] In the alternative embodiment shown In FIG. 
2, a central TCA 150 is dispensed with, and each PC 
100 is provided with a security card 250 that provides 
TCA-substitute functionality for its corresponding PC 
100 only. Security card 250 comprises an I/O port 252 
that removably mates with (e.g., plugs into) I/O port 220 
of PC 100, and a memory 254. It is Illustratively a PC- 
MCIA card or a floppy disk. 

[0016] A newly-manufactured PC 100 is not secure, 
in that it does not have a valid password 306 installed 
therein; rather, password 306 has a null value. This in- 
secure mode allows PC 100 to be initialized with soft- 
ware at the factory and to be tested without hindrance, 
PC 1 00 may also be sold without a valid password 306. 
But in order to deter theft of PC 1 00 prior to it being sold 
to an end user, PC 1 00 may be programmed with a valid 
password 306 prior to leaving the factory. In the latter 
case, the password must be communicated to the pur- 
chaser at time of sale, and either password 306 and in- 
fomnatlon identifying the owner of PC 1 00 must be en- 
tered in depository 156 of TCA 150, or password 306 
must be entered In memory 254 of security card 250, as 
soon as possible. 

[0017] The functionality of security program 302 is 
shown In FIGS. 4 et seq. When execution of BIOS de- 
vice 108 contents begins, at step 400, e.g., upon power- 
up, CPU 102 activates the display and keyboard of PC 
100, at step 401. Since most BIOS programs 300 In- 
clude rudimentary display and keyboard drivers, step 
401 generally involves execution of that portion of BIOS 
program 300 that activates the display and keyboard. In 
the case of BIOS programs 300 that do not make the 
keyboard and display operable, step 401 involves exe- 
cution of a portion of security program 302 which either 
contains rudimentary display and keyboard drivers or 
which loads the display and keyboard drivers from disk 



and activates them. CPU 102 then executes program 
302 and first checks password 306 to detemnine if its 
value is null, at step 402. If it is not null, PC 100 is op- 
erating in a secure mode, and so CPU 1 02 prompts the 
5 user of PC 1 00 to enter the password, at step 404, illus- 
tratively by displaying a prompt to that effect on a display 
screen of PC 1 00. When the user responds, illustratively 
by typing the password on a keyboard of PC 100, CPU 
1 02 encrypts the received password with the stored en- 
10 cryption key 304, at step 406, and then compares the 
encrypted received password with password 306 which 
is also encrypted with key 304, at step 408, to detemilne 
if they match. If they do not match, CPU 102 halts the 
boot and further operation of PC 100, at step 410, ren- 
15 dering PC 100 unusable. If they do match, PC 100 is 
secure, and so CPU 102 completes booting PC 100, at 
step 411 . But prior to relinquishing control, program 302 
causes CPU 1 02 to prompt the user to indicate if he or 
she wishes to change the password, at step 412. If the 
20 user does not so indicate, as detemiined at step 414, 
PC 1 00 continues to operate conventionally but in a se- 
cure mode, at step 420. 

[0018] Returning to step 402, If password 306 is de- 
termined there to be null, It means that PC 100 is oper- 
ating In an Insecure mode, and so CPU completes boot- 
ing PC 100, at step 415. But prior to relinquishing con- 
trol, program 302 causes CPU 102 to prompt the user 
to establish a valid password 306, at step 41 6. If the user 
elects not to establish a password, as determined at 
step 418, PC 100 continues to operate conventionally 
in the insecure mode, at step 420. 
[0019] In order to keep the security mechanism from 
being thwarted, steps 402-410 of security program 302 
are the only ones that need to be protected from bypass 
or override, because they constitute the security gate- 
way or lock that enables or disables (controls) operabil- 
ity of PC 100. Therefore, they are the only portion of 
program 302, along with password 306 and encryption 
key 304, that must be stored in a secure memory such 
as BIOS device 1 08. Afterthat, the security gateway has 
been passed, either because the value of password 306 
is null or because the correct password was entered. In 
either case, the user is now free to use PC 1 00 in any 
way desired. Therefore, the remainder of program 302, 
which merely controls changing (Including initial estab- 
lishment) of password 306, may be stored in any other 
memory of PC 100 where it can be accessed by CPU 
102. For example, if a floppy disk Is in the disk drive, 
BIOS program 300 will attempt to complete the boot 
from it, as Is conventional In PCs, and so the remainder 
of program 302 may be stored on a floppy disk and ex- 
ecuted at this point to install or modify password 306. 
As will be seen below, password maintenance is func- 
tionally no different than upgrading or altering BIOS pro- 
gram 300, except that only a couple of entries 304 and 
306 of BIOS device 1 08 are changed and that commu- 
nications to the outside of PC 100 are taking place. 
[0020] Returning to consider the drawing, if the user 
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elects to change the password at step 414 of FIG. 4 or 
elects to establish a password at step 418, GPU 102 
proceeds to Interact with either TCA 150 In FIG. 5 or 
security card 250 in FIG. 6. Turning first to FIG. 5, CPU 
102 establishes a connection to TCA 150 via network 5 
Interface 120 and data network 130 (e.g., a LAN or the 
Internet) or via modem 122 and telephone network 130, 
at step 424, In a conventional manner. The requisite ad- 
dress of TCA 1 50 Is either stored as a part of security 
program 302, or CPU 102 prompts the user to provide 
the address, at step 422. When the connection is estab- 
lished, at step 450, PC 100 and TCA 150 cooperate to 
establish the calling user's identity, at steps 426 and 
452. For example, TCA 150 asks questions of the user 
via network 1 30, the user answers them via PC 1 00, and 
TCA 150 compares the answers against information it 
has stored in depository 1 56 about the user to detemnine 
If there is a match. Alternatively, steps 426 and 452 may 
be dispensed with In the case of changing an existing 
password. When the user's identity is established to the 
satisfaction of TCA 150, TCA 150 requests the stored 
encrypted password 306 of PC 100, at step 464, and 
CPU 102 obliges by retrieving and retuming password 
306, at step 428. If the received password 306 is not 
null, as detemiined at step 455, TCA 150 searches Its 
depository 156 for this password and any information 
paired and stored in association therewith, including a 
user's identity, at step 456. If the password is found in 
depository 156, TCA 150 detenmines if its paired infor- 
mation matches the caller's identity that was detemiined 
at step 452, at step 458. If the stored identity and the 
calling user's identity do not match, TCA 150 sends a 
notice thereof and a denial of the transaction to PC 1 00, 
at step 460, and ends the transaction by breaking the 
connection to PC 100, at step 461 . Altematlvely, If steps 
426 and 452 were not perfonmed, TCA 150 merely 
searches depository 156 for the received password at 
step 456, and checks for presence of that password in 
depository 156 at step 458. When CPU 102 detemnines 
that the transaction has been denied, at step 430, it con- 
tin ues conventional operation, at step 432, without a 
change of the password. Altematlvely, CPU 102 ne- 
gates the boot-up and halts PC 1 00 at step 432. thereby 
rendering PC 100 useless. 

[0021] If the identity of the calling user was found to 
match the user identity stored by TCA 1 50 for password 
306 of this PC 1 00 at step 458, or if the received pass- 
word was found to be null at step 455, TCA 150 gener- 
ates a new private/public encryption key pair, at step 
466, and sends the public encryption key of the pair to 
PC 100, at step 468. CPU 102 receives the public en- 
cryption key, at step 436, and stores it in encryption key 
304 of BIOS device 108, at step 368. overwriting any 
previous value of encryption key 304 in the process. 
CPU 102 then prompts the user for a new password and, 
upon receiving it, at step 440, encrypts the new pass- 
word with the stored encryption key 304, at step 442. 
Under control of the conventional special software for 



programming BIOS device 108, CPU 102 then stores 
the new encrypted password in password 306 of BIOS 
1 08, at step 444. overwriting any previous value of pass- 
word 306 In the process. Some BIOS devices may re- 
quire ovenvriting of the entire device in order to change 
any contents thereof, in which case either TCA 150 must 
supply the entire BIOS device contents with the new en- 
cryption key and password, or CPU 102 must read out 
the contents of the BIOS device to create an image 
thereof, change the encryption key and the password In 
the image, and then write the changed image back Into 
the BIOS device. CPU 102 also sends the new encrypt- 
ed password to TCA 1 50, at step 446. PC 1 00 then pro- 
ceeds to operate conventionally, at step 448. TCA 150 
receives the new encrypted password, at step 470, and 
stores it and the private key of the newly-generated en- 
cryption key pair instead of the previous password and 
key with the caller Identification infomriatlon In deposito- 
ry 1 56, at step 472. TCA 1 50 then ends its operation, at 
step 474. 

[0022] If the user should everforget the password, the 
user can retrieve it with the help of TCA 150, For exam- 
ple, the user calls an operator of TCA 150 and estab- 
lishes his or her Identity to the operator in the manner 
of steps 426 and 452. Infomnatlon about the user that Is 
stored in depository 156 may include a voiceprint of the 
user, and the operator may use this voiceprint and the 
user's voice incoming on the call to authenticate the us- 
er. Once the user has been authenticated, the operator 
directs computer 154 to decrypt the user's password. 
Computer 154 does so by retrieving the user's encrypt- 
ed password and private encryption key from depository 
156 and using the private key to decrypt the password. 
The operator then reports the decrypted password to the 
user via the call, with an admonition to change the pass- 
word as soon as possible in case the call is not secure. 
[0023] If the user of PC 100 that is equipped with a 
security card 250, as In the embodiment of FIG. 2, elects 
to change the password at step 41 4 or elects to establish 
a password at step 418, CPU 102 proceeds to interact 
with security card 250 in the manner shown in FIG. 6. 
First, CPU 1 02 checks for presence of security card 250 
in I/O port 220, at step 600. If security card 250 is not 
connected to I/O port 220. CPU 102 prompts the user 
of PC 1 00 to make the connection, at step 602, and then 
returns to step 600. If and when CPU 102 detemiines 
at step 600 that security card 250 is connected to I/O 
port 220, it may optionally check, at steps 604-608, 
whether rt is the correct security card 250 for this PC 
1 00, so as to prevent inadvertent destruction of a pass- 
word for another device. To perform this check, CPU 1 02 
retrieves from security card 250 the contents of memory 
254, at step 604, and compares these contents against 
password 306 to determine If they match, at step 606. 
If they do not match, CPU 1 02 prompts the user to con- 
nect the correct security card 250 to PC 100, at step 
608, and then retums to step 600. If and when it finds 
the correct security card 250 connected to PC 100, at 
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step 606, or if the check at steps 604-608 for the correct 
security card 250 is not performed, CPU 102 prompts 
for and receives from the user a new password, at step 
61 0. CPU 1 02 then encrypts the new password by using 
encryption l<ey 304, at step 612. Using public key en- 
cryption is not necessary, since there Is no remote agen- 
cy like TCA 150 involved. Optionally, a common key can 
be used In all PCs 1 00, as Is common In most UNIX op- 
erating system environments, for example. Under con- 
trol of the conventional special software for program- 
ming BIOS device 108, CPU 102 then stores the new 
encrypted password as password 306 In BIOS device 
108, at step 614. CPU also stores it In memory 254 of 
security card 250 In place of any previously stored con- 
tents therein, at step 616. As In step 444 of FIG. 5, se- 
curity card 250 may need to supply the entire BIOS serv- 
ice 108 contents along with the new password. Alterna- 
tively or additionally, CPU 1 02 may store the unencrypt- 
ed password in memory 254 of security card 250. This 
has the advantage that, If the user ever forgets the pass- 
word, he or she can retrieve it (read and/or display it) 
from security card 250 via another machine that has a 
compatible I/O port 220. This presumes that the user 
can be counted upon to keep security card 250 physi- 
cally secure and separate from PC 100. CPU 102 then 
continues to operate conventionally. 
[0024] Of course, various changes and modifications 
to the illustrative embodiment described above will be 
apparent to those skilled in the art. For example, the In- 
vention may be implemented differently on different de- 
vices (e.g., in manufacturer-specific or even model-spe- 
cific manner) so that, If the security of one implementa- 
tion should be breached, it will not affect all devices. For 
this purpose, a device (PC) serial number may be stored 
in ROM104 and used to Identify the manufacturer and/ 
or model. Such changes and modifications can be made 
within the scope of the invention and without diminishing 
its attendant advantages. It is therefore intended that 
such changes and modifications be covered by the fol- 
lowing claims except insofar as limited by the prior art. 



Claims 

1. A device (100) security apparatus CHARACTER- 
ISED BY storage (108) in the device for storing a 
password (306) and preventing a user of the device 
from accessing the stored password while use of 
the device is disabled; 

a connector (116) connecting the device to an 

external entity (150,250); and 

a lock (1 08) in the device, cooperative with the 

storage, that disables use of the device unless 

a password is given to the lock whk:h coae- 

sponds to the stored password; and 

an an-angement (102:302-304) cooperative 

with the storage, the connector, and the lock, 



10 

responsive to the use of the device having been 
enabled and the connection having been made 
to the external entity, for enabling the stored 
password to be changed if the stored password 
5 corresponds to a password stored by the con- 

nected external entity, and for effecting storage 
of changed said password by the external en- 
tity. 

10 2. The apparatus of claim 1 for a computer, wherein: 
the storage comprises a BIOS device (108) 
storing a BIOS program (300) of the computer and 
the password (306). 

15 3, The apparatus of claim 1 wherein: 

the connector comprises a network communi- 
cations port (120) of the device; and 
the entity comprises a remote trusted authority 
20 (150). 

4. The apparatus of claim 1 wherein: 

the connector comprises an input port (220) of 
25 the device; and 

the entity comprises a local storage device 
(250). 

5. The apparatus of claim 1 for a sto red-program-con- 
30 trolled device, wherein: 

the lock comprises a stored program (302) 
that executes upon power-up of the device. 



6. The apparatus of claim 5 for a computer (100), 
35 wherein: 

the storage comprises a BIOS device (108) 
storing a BIOS program (300) of the computer, the 
password (306), and the lock program (302). 

40 7. The apparatus of claim 1 wherein: 

the arrangement includes 
means (102:426) for establishing the user's 
identity with the extemal entity, 
means (1 02:428) for providing the stored pass- 
word to the external entity, and 
means (1 02:436 et seq.) for enabling the stored 
password to be changed in response to receiv- 
Ing an indication from the external entity that 
50 the established identity and provided password 

match an identity and the password stored by 
the externa! entity. 

8. The apparatus of claim 7 wherein: 

55 

the arrangement further includes 

means (102:440-446) responsive to receipt of 

a new password from the user, for storing the 
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new password in the storage and sending the 
new password to the external entity for storage. 

9. The apparatus of claim 1 wherein: 

5 

the storage stores an encrypted said password 
(306) and an encryption key (304); and 
the lock is adapted to be responsive to receipt 
(404) of an unencrypted password by encrypt- 
ing (406) the received password with the stored io 
encryption key, comparing (408) the encrypted 
received password with the stored encrypted 
password, and disabling (410) use of the device 
If the compared passwords do not match. 

15 

10. The apparatus of claim 9 wherein: 

the arrangement includes 
means (102:426) for establishing the user's 
identity with the external entity, ^ 
means (102:428) for providing the stored en- 
crypted password to the external entity, 
means (1 02:436 et seq.) for enabling the stored 
password to be changed in response to receiv- 
ing an indication from the external entity that 25 
the established identity and provided password 
match an Identity and the password stored by 
the external entity, 

means (102:438) for storing a new encryption 
key received from the external entity in the stor- 30 
age, and 

means (102:440-446) for encrypting a new 
password received from the user with the 
stored new encryption key, storing the encrypt- 
ed new password In the storage, and sending 35 
the encrypted new password to the extemal en- 
tity for storage. 
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